security and risk analysis questionnaire
Risk and Security Analysis

Practice Name: ___________________________________

RISK ANALYSIS (R)
§ 164.308(a)(1)(ii)(A)
“Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.”
Have you identified the EPHI within your organization? This includes EPHI that you create, receive, maintain or transmit. Please note that EPHI may be resident on computer workstations, servers or on portable devices such as laptops and PDAs.

RISK MANAGEMENT (R)
§ 164.308(a)(1)(ii)(B)
“Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with §164.306(a).”
What security measures are already in place to protect EPHI? This can be a comprehensive view of all measures, whether administrative, physical or technical, such as an overarching security policy; door locks to rooms where EPHI is stored; or the use of password-protected files.

SANCTION POLICY (R)
§ 164.308(a)(1)(ii)(C)
“Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity.”
Have you developed, applied and implemented policies specific to violations of the security policies and procedures? If so, do they provide appropriate sanctions for workforce members who fail to comply with your security policies and procedures? (i.e., have you included your sanction policy in your workforce manual and trained your staff on the policy?)

AUTHORIZATION AND/OR SUPERVISION (A)
§ 164.308(a)(3)(ii)(A)
“Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.”
Are the procedures used by your workforce consistent with your access policies? (i.e., do people who should have access actually have that access? Are people who should not have access prevented from accessing the information?)

PASSWORD MANAGEMENT (A)
§ 164.308(a)(5)(ii)(D)
“Implement procedures for creating, changing, and safeguarding passwords.”
Does your workforce training address topics such as not sharing passwords with other workforce members, or not writing down passwords and leaving them in open areas?

DATA BACKUP PLAN (R)
§ 164.308(a)(7)(ii)(A)
“Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.”
Do your procedures identify all sources of EPHI that must be backed up, such as patient accounting systems, electronic medical or health records, digital recordings of diagnostic images, electronic test results, or any other electronic documents created or used that contain EPHI?

WRITTEN CONTRACT OR OTHER ARRANGEMENTS (R)
§ 164.308(b)(4)
“Document the satisfactory assurances required by this section through a written contract or other arrangement with the business associate that meets the applicable requirements of §164.314(a) [(the Business Associate Contracts or Other Arrangements Standard)].”
Do you have contracts in place with outside entities entrusted with health information generated by your office? If so, do the contracts provide assurances that the information will be properly safeguarded?

FACILITY SECURITY PLAN (A)
§ 164.310(a)(2)(ii)
“Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.”
Do your office policies and procedures identify controls to prevent unauthorized physical access, tampering, and theft of EPHI? These could include locked doors, signs warning of restricted areas, surveillance cameras, alarms, and identification numbers and security cables on computers.

MAINTENANCE RECORDS (A)
§ 164.310(a)(2)(iv)
“Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors and locks).”
Has your office implemented policies and procedures that specify how repairs and modifications to a building or facility will be documented to demonstrate that the EPHI is protected?

This standard does not have corresponding implementation specifications. However, compliance with the standard itself is required (R).
Do your office policies and procedures specify the use of additional security measures to protect workstations with EPHI, such as using privacy screens, enabling password-protected screen savers, or logging off the workstation?

DISPOSAL (R)
§ 164.310(d)(2)(i)
“Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.”
Does your office have a method of destroying EPHI on equipment and media you are no longer using? For example, have you considered purchasing hard drive erasure software for a planned upgrade of office computers?

DATA BACKUP AND STORAGE (A)
§ 164.310(d)(2)(iv)
“Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.”
Do you have a process in place to create a retrievable, exact copy of EPHI before the equipment on which it is stored is moved?

UNIQUE USER IDENTIFICATION (R)
§ 164.312(a)(2)(i)
“Assign a unique name and/or number for identifying and tracking user identity.”
Do you have a process in place to assign each user of your system a unique user identifier? If so, can the identifier be used to track user activity within information systems that contain EPHI? This may or may not be reasonable or appropriate for a solo clinician where access has been granted to all office staff.

AUTOMATIC LOGOFF (A)
§ 164.312(a)(2)(iii)
“Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.”
Do your current information systems have an automatic logoff capability to ensure that unauthorized users do not access data on unattended workstations?

This standard does not have corresponding implementation specifications. However, compliance with the standard itself is required (R).
Does your system require the input of something known only to the person or entity seeking access to EPHI (such as a password or PIN) prior to granting the requested access?

ENCRYPTION (A)
§ 164.312(e)(2)(ii)
“Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.”
Based on your required risk analysis, is encryption needed to protect the transmission of EPHI between your office and outside organizations? If not, what measures do you have in place to ensure the protection of this information? Practices and providers might consider password protection of documents or files containing EPHI and/or prohibiting the transmission of EPHI via email.

Risk and Security Analysis Conducted by:

___________________________________
Printed Name

___________________________________
Signature

___________________________________
Date